author | Mike Lockwood <lockwood@google.com> | 2014-11-12 14:20:06 -0800 |
---|---|---|
committer | Mike Lockwood <lockwood@google.com> | 2014-11-12 16:08:37 -0800 |
commit | ab063847e6e893740749029a04cce1f6b7345ed5 (patch) | |
tree | 8b840e9152cfa638aa354a0379962a89914e0006 /media/mtp/MtpDataPacket.h | |
parent | 745602d87607521f4fe84c4f3a6388fbdb6a867c (diff) | |
MTP: add strict bounds checking for all incoming packets
Previously we did not sanity check incoming MTP packets,
which could result in crashes due to reading off the edge of a packet.
Now all MTP packet getter functions return a boolean result
(true for OK, false for reading off the edge of the packet)
and we now return errors for malformed packets.
Bug: 18113092
Change-Id: Ic7623ee96f00652bdfb4f66acb16a93db5a1c105
Diffstat (limited to 'media/mtp/MtpDataPacket.h')
-rw-r--r-- | media/mtp/MtpDataPacket.h | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/media/mtp/MtpDataPacket.h b/media/mtp/MtpDataPacket.h
index 2b81063..13d3bd9 100644
--- a/media/mtp/MtpDataPacket.h
+++ b/media/mtp/MtpDataPacket.h
@@ -30,7 +30,7 @@ class MtpStringBuffer;
 class MtpDataPacket : public MtpPacket {
 private:
 // current offset for get/put methods
- int mOffset;
+ size_t mOffset;
 public:
 MtpDataPacket();
@@ -42,17 +42,18 @@ public:
 void setTransactionID(MtpTransactionID id);
 inline const uint8_t* getData() const { return mBuffer + MTP_CONTAINER_HEADER_SIZE; }
- inline uint8_t getUInt8() { return (uint8_t)mBuffer[mOffset++]; }
- inline int8_t getInt8() { return (int8_t)mBuffer[mOffset++]; }
- uint16_t getUInt16();
- inline int16_t getInt16() { return (int16_t)getUInt16(); }
- uint32_t getUInt32();
- inline int32_t getInt32() { return (int32_t)getUInt32(); }
- uint64_t getUInt64();
- inline int64_t getInt64() { return (int64_t)getUInt64(); }
- void getUInt128(uint128_t& value);
- inline void getInt128(int128_t& value) { getUInt128((uint128_t&)value); }
- void getString(MtpStringBuffer& string);
+
+ bool getUInt8(uint8_t& value);
+ inline bool getInt8(int8_t& value) { return getUInt8((uint8_t&)value); }
+ bool getUInt16(uint16_t& value);
+ inline bool getInt16(int16_t& value) { return getUInt16((uint16_t&)value); }
+ bool getUInt32(uint32_t& value);
+ inline bool getInt32(int32_t& value) { return getUInt32((uint32_t&)value); }
+ bool getUInt64(uint64_t& value);
+ inline bool getInt64(int64_t& value) { return getUInt64((uint64_t&)value); }
+ bool getUInt128(uint128_t& value);
+ inline bool getInt128(int128_t& value) { return getUInt128((uint128_t&)value); }
+ bool getString(MtpStringBuffer& string);
 Int8List* getAInt8();
 UInt8List* getAUInt8(); |
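Review bot: With `mOffset` now `size_t` in the first hunk, a remaining-length expression of the form "packet size minus `mOffset`" wraps to a very large value once the offset has passed the end, where the old `int` would have gone negative. The bounds checks this commit adds therefore need to establish that `mOffset` does not exceed the packet size before subtracting. Those checks live in the getter definitions, which are outside this header diff, so this cannot be confirmed from here. If the invariant is intended, the member comment could state it, e.g. `// current offset into mBuffer for get/put methods; never exceeds the packet size`.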
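Review bot: Nothing in the second hunk's declarations makes a caller check the new `bool` result, and the header does not say what `value` holds after a `false` return, so a mechanically converted call site could go on to use an unset local. Consider marking the getters `__attribute__((warn_unused_result))` and adding a comment above the group such as `// Each getter returns false if the read would run past the end of the packet; value is then unspecified.`, adjusted to what the definitions actually do, since they are not shown here. The array getters in the trailing context (`getAInt8()`, `getAUInt8()`) still return pointers, so how they signal a malformed packet is not visible in this hunk and should be checked for the same bounds handling. The class body continues past the end of the hunk.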